AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison

Photo: Jim Merithew/Wired.com

[Update 12:12pm PST: with news about EFF and others joining the defense team for Auernheimer’s appeal.]

A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website was sentenced on Monday to 41 months in prison followed by three years of supervised release.

The judge handed down the sentence following a minor skirmish in the courtroom when the defendant, Andrew Auernheimer, aka Weev, was pinned and cuffed. Auernheimer was reportedly asked to hand the court a mobile phone he had with him during the hearing, and after handing it to his defense attorney instead, court agents cuffed him.

Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty last November in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization after he and a colleague created a program to collect information on iPad owners that had been exposed by a security hole in AT&T’s web site.

The two essentially wrote a program to send Get requests to the web site.

The controversial case is one of a string of highly criticized prosecutions of security researchers who have been charged with serious computer crimes under the Computer Fraud and Abuse Act, prompting calls for reform of the legislation to make clear distinctions between criminal hacking and simple unauthorized access and to protect researchers whose activities are not criminal in intent.

Computer security researcher Charlie Miller tweeted Monday morning in reference to Auernheimer’s case that any security researcher could be facing the same fate.

We could all go to jail for security research at any moment, and a jury would happily convict us.

Auernheimer and Daniel Spitler, 26, of San Francisco, California, were charged last year after the two discovered a hole in AT&T’s website in 2010 that allowed anyone to obtain the e-mail address and ICC-ID of iPad users. The ICC-ID is a unique identifier that’s used to authenticate the SIM card in a customer’s iPad to AT&T’s network.

The iPad was released by Apple in April 2010. AT&T provided internet access for some iPad owners through its 3G wireless network, but customers had to provide AT&T with personal data when opening their accounts, including their e-mail address. AT&T linked the user’s e-mail address to the ICC-ID, and each time the user accessed the AT&T website, the site recognized the ICC-ID and displayed the user’s e-mail address.

Auernheimer and Spitler discovered that the site would leak e-mail addresses to anyone who provided it with a ICC-ID. So the two wrote a script – which they dubbed the “iPad 3G Account Slurper” — to mimic the behavior of numerous iPads contacting the web site in order to harvest the e-mail addresses of iPad users.

According to authorities, they obtained the ICC-ID and e-mail address for about 120,000 iPad users, including dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, then-White House Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, New York Times CEO Janet Robinson and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota, as well as dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.

The two contacted the Gawker website to report the hole, a practice often followed by security researchers to call public attention to security holes that affect the public, and provided the website with harvested data as proof of the vulnerability. Gawker reported at the time that the vulnerability was discovered by a group calling itself Goatse Security.

AT&T maintained that the two did not contact it directly about the vulnerability and learned about the problem only from a “business customer.”

Auernheimer likened his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft. He later sent an e-mail to the U.S. attorney’s office in New Jersey, blaming AT&T for exposing customer data, authorities say.

“AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders,” he wrote, according to prosecutors. “I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”

But prosecutors say his interest went beyond concern about the security of customer data.

According to the criminal complaint, a confidential informant helped federal authorities make their case against the two defendants by providing them with 150 pages of chat logs from an IRC channel where, prosecutors said, Spitler and Auernheimer admitted conducting the breach to tarnish AT&T’s reputation and promote themselves and Goatse Security.

Spitler pleaded guilty to the charges last year.

Upon his conviction last year, Auernheimer tweeted to supporters that he expected the verdict and planned to appeal.

Hey epals don’t worry! We went in knowing there would be a guilty here. I’m appealing of course.

On Monday, following the announcement of his sentence, the Electronic Frontier Foundation announced that it had joined Auernheimer’s appellate team.

“Weev’s case shows just how problematic the Computer Fraud and Abuse Act is,” EFF Staff Attorney Hanni Fakhoury said in a statement. “We look forward to reversing the trial court’s decision on appeal. In the meantime, Congress should amend the CFAA to make sure we don’t have more Aaron Swartzs and Andrew Auernheimers in the future.”

EFF joins a powerhouse team defending Auernheimer on appeal, including George Washington University law professor Orin Kerr, as well as Tor Ekeland and Mark H. Jaffe of Tor Ekeland P.C. and Nace Naumoski.

Auernheimer has been outspoken about criticizing AT&T and the government for pursuing prosecution. The day before his sentencing he posted a comment on Reddit saying, “My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won’t nearly be as nice next time.”

On Monday morning, federal prosecutors used his Reddit post to support their call for a four-year sentence.

In addition to the 41 months sentence handed down to Auernheimer on Monday, the judge also ordered him and Spitler to pay $73,000 in restitution.

Here’s The Thing With Ad Blockers

We get it: Ads aren’t what you’re here for. But ads help us keep the lights on. So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.